Employees of the city of Atlanta met that missive when they arrived at work on Tuesday. It followed a Thursday ransomware outbreak that appeared to have begun on a city server and spread to at least seven other systems.

"The city of Atlanta is advising its employees to turn on computers and printers for the first time since the March 22 cyberattack," the city says in a Tuesday statement.

"It is expected that some computers will operate as usual and employees will return to normal use," the statement adds. "It is also expected that some computers may be affected or affected in some way and employees will continue using manual or alternative processes. This is part of the city's ongoing assessment as part of the restoration and recovery process."

Five days later, however, the city said that many systems - including email, Oracle financial software, Siebel customer relationship management applications and Accela "civic engagement" software - had been restored. A self-service portal for residents running Capricorn software, however, remains offline. As a result, residents cannot pay their water bills or for parking tickets. Atlanta's airport WiFi also remains offline, taken down in the aftermath of the outbreak "out of an abundance of caution," according to city officials.

After the infection, the city said it planned to restore affected systems from backups, and said it was reviewing whether any personal, financial or employee information was compromised.

Multiple news reports have suggested that the city was hit with SamSam. Cisco's Talos security group says that SamSam attacks tend to be opportunistic rather than highly targeted.

Atlanta hasn't said how it was breached or how the ransomware spread. Researchers say most opportunistic ransomware attacks tend to be distributed via spear-phishing emails.

Enterprising attackers can also test for default credentials or purchase stolen remote desktop protocol credentials from cybercrime shops, giving them reliable ways of gaining remote access to a network, which they can leverage for many different types of crime - not just deploying crypto-locking malware.

The city says it's working with everyone from Microsoft and Cisco to the U.S. Department of Homeland Security and Secret Service to SecureWorks and Georgia Tech to help it investigate the incident.

City's Security Problems Persist

For the city of Atlanta, however, beyond the possibility that an employee fell for a phishing attack, there were numerous problems that an attacker might have exploited to gain access to its systems. Information security researcher Kevin Beaumont counts leaving Remote Desktop Protocol (RDP, port 3389) and Server Message Block (SMB, port 445) open to the internet as just two of them.

They had RDP and SMB (1) exposed to the internet, across lots of servers. (And hilariously still do). They need to do some security work.

Robert Graham, head of offensive security research firm Errata Security, says Atlanta's ransomware outbreak should serve as a wake-up call to all cities - as well as all municipal, county and state governments. But he says it's likely that they'll miss the point.

"They'll misinterpret what happens here. They frequently get individual desktops infected with ransomware, so they falsely believe they are on top of the situation. What happened in Atlanta is a wholly different attack, where ransomware spread to the servers," Graham says via Twitter.

Asking how the ransomware got into the network is the wrong question, Graham adds.

"The question they should be asking is, once inside, how it spread. It spread because it got 'admin' credentials," he says. "The SamSam ransomware is notorious for this. It aggressively looks for admin credentials on any system it affects and uses them to spread to other systems on the local network."
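The spread pattern Graham describes, one set of admin credentials authenticating to server after server on the local network, is something a defender can look for in authentication logs. The following script is an added example, not code from the article or from any of the vendors it names: it runs a simple fan-out heuristic over a constructed, simplified logon log (the key=value format, host names, account names and timestamps are all invented for the example, not real Windows event output) and flags any account that reaches many distinct hosts via network or remote-interactive logons within a short window.

```python
"""Flag accounts that authenticate to many distinct hosts in a short window.

Added example. Input is a constructed, simplified logon log; the field names
mirror Windows successful-logon events (4624, logon type) but the format is
hypothetical and the sample data is invented.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one service account fanning out across six servers in
# under five minutes, plus a normal user whose logons are spread over hours.
SAMPLE_LOGONS = """\
2018-03-22T02:58:10 host=SRV01 event=4624 user=svc_backup logon_type=3 src=10.0.1.20
2018-03-22T03:01:12 host=SRV02 event=4624 user=svc_backup logon_type=3 src=10.0.1.20
2018-03-22T03:01:40 host=SRV03 event=4624 user=svc_backup logon_type=3 src=10.0.1.20
2018-03-22T03:02:05 host=SRV04 event=4624 user=svc_backup logon_type=3 src=10.0.1.20
2018-03-22T03:02:30 host=SRV05 event=4624 user=svc_backup logon_type=3 src=10.0.1.20
2018-03-22T03:03:00 host=SRV06 event=4624 user=svc_backup logon_type=10 src=10.0.1.20
2018-03-22T03:05:00 host=WS017 event=4624 user=jdoe logon_type=2 src=-
2018-03-22T09:00:00 host=SRV01 event=4624 user=jdoe logon_type=3 src=10.0.2.14
2018-03-22T09:30:00 host=SRV02 event=4624 user=jdoe logon_type=3 src=10.0.2.14
"""

# Logon types that imply reaching a host over the network: 3 (network, e.g.
# SMB) and 10 (remote interactive, e.g. RDP). Local console logons (type 2)
# are ignored because they cannot represent lateral movement.
NETWORK_LOGON_TYPES = {3, 10}


def parse_logons(text):
    """Parse the hypothetical 'timestamp key=value ...' format into dicts."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts_str, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events.append({
            "ts": datetime.fromisoformat(ts_str),
            "host": kv["host"],
            "event": int(kv["event"]),
            "user": kv["user"],
            "logon_type": int(kv["logon_type"]),
            "src": kv["src"],
        })
    return events


def find_fan_out(events, window=timedelta(minutes=10), min_hosts=5):
    """Return one finding per account that logged on to at least `min_hosts`
    distinct hosts within any `window`-long span of time.

    Each finding is a dict with the account, the start of the span, and the
    sorted list of hosts reached. Thresholds are assumptions to tune per
    environment; they are not taken from the article.
    """
    by_user = defaultdict(list)
    for e in events:
        if e["event"] == 4624 and e["logon_type"] in NETWORK_LOGON_TYPES:
            by_user[e["user"]].append(e)

    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i in range(len(evs)):
            hosts = set()
            j = i
            # Extend the window forward from event i and collect distinct hosts.
            while j < len(evs) and evs[j]["ts"] - evs[i]["ts"] <= window:
                hosts.add(evs[j]["host"])
                j += 1
            if len(hosts) >= min_hosts:
                findings.append({"user": user, "start": evs[i]["ts"],
                                 "hosts": sorted(hosts)})
                break  # one finding per account is enough for triage
    return findings


if __name__ == "__main__":
    for f in find_fan_out(parse_logons(SAMPLE_LOGONS)):
        print(f"{f['user']} reached {len(f['hosts'])} hosts from {f['start']}: "
              + ", ".join(f["hosts"]))
```

The heuristic is deliberately coarse: it fires on the service account's burst (six servers in under five minutes) and stays quiet on the user whose two server logons are half an hour apart. In practice the window and host threshold need tuning so that legitimate management tooling, which also authenticates to many hosts, is either allow-listed by account or source address or does not trip the rule.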

9/ According to news reports, Atlanta has Windows-based web servers with port 445 exposed. It doesn't matter if that was the particular vector SamSam used -- it matters that no sane organization would have those ports exposed.

Graham says that "no sane organization" would have exposed port 445 to the internet. Until the city's IT staff deals with these types of basic information security failures, it remains at risk of becoming a repeat ransomware victim.
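Both Beaumont and Graham make the same basic point: RDP (3389) and SMB (445) should not be reachable from the internet. The following script is an added example, not code from the article or from the city's IT staff: it audits a set of inbound firewall rules, in a hypothetical "action proto source_cidr destination port" text format constructed for the example, and reports every allow rule that opens one of those ports to a source outside the organization's internal address space. The internal ranges (RFC 1918 plus loopback and link-local) are an assumption; the destination hosts and source networks in the sample are invented.

```python
"""Report inbound firewall rules that expose RDP/SMB to non-internal sources.

Added example. The rule format is hypothetical and the sample rules are
constructed; adapt parse_rules() to a real firewall or cloud security-group
export before using the check for anything more than illustration.
"""
import ipaddress
from dataclasses import dataclass

# Services singled out in the article. Port 139 is included because SMB over
# NetBIOS is the same exposure on a different port.
HIGH_RISK_TCP_PORTS = {
    445: "SMB (Server Message Block)",
    139: "NetBIOS session service (SMB over NetBIOS)",
    3389: "RDP (Remote Desktop Protocol)",
}

# Assumption: only these ranges are "inside"; any source not fully contained
# in one of them is treated as reachable from the internet.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

# Constructed sample export: action proto source_cidr destination port.
SAMPLE_RULES = """\
# SMB open to the world on a file server: exactly the exposure described
allow tcp 0.0.0.0/0 10.0.1.5 445
# Same port, but only from the internal network: acceptable
allow tcp 10.0.0.0/8 10.0.1.5 445
# RDP from a partner's public range: still internet-reachable
allow tcp 203.0.113.0/24 10.0.1.7 3389
# HTTPS to the public web server: not in scope for this check
allow tcp 0.0.0.0/0 10.0.1.8 443
# Explicit deny rules are not exposures
deny tcp 0.0.0.0/0 10.0.1.9 3389
# UDP DNS: not an RDP/SMB port
allow udp 0.0.0.0/0 10.0.1.10 53
# A single public host allowed to RDP in: narrower, but still exposed
allow tcp 198.51.100.4/32 10.0.1.5 3389
"""


@dataclass
class Rule:
    action: str
    proto: str
    src: object  # ipaddress.IPv4Network or IPv6Network
    dst: str
    port: int


def parse_rules(text):
    """Parse the hypothetical five-field rule format; blank and '#' lines skipped."""
    rules = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 5:
            raise ValueError(f"line {lineno}: expected 5 fields, got {len(parts)}")
        action, proto, src, dst, port = parts
        rules.append(Rule(action.lower(), proto.lower(),
                          ipaddress.ip_network(src, strict=False), dst, int(port)))
    return rules


def is_internet_source(net):
    """True unless the whole source network sits inside an internal range."""
    return not any(net.version == internal.version and net.subnet_of(internal)
                   for internal in INTERNAL_NETS)


def find_exposures(rules):
    """Return (destination, port, source, service) for each risky allow rule."""
    findings = []
    for r in rules:
        if r.action != "allow" or r.proto != "tcp":
            continue
        if r.port in HIGH_RISK_TCP_PORTS and is_internet_source(r.src):
            findings.append((r.dst, r.port, str(r.src), HIGH_RISK_TCP_PORTS[r.port]))
    return findings


if __name__ == "__main__":
    for dst, port, src, service in find_exposures(parse_rules(SAMPLE_RULES)):
        print(f"EXPOSED: {service} on {dst}:{port} allowed from {src}")
```

Note that the check deliberately flags the /32 rule as well: a single public address allowed to reach RDP is narrower than 0.0.0.0/0, but the service is still listening on the internet and the rule still belongs behind a VPN or bastion rather than on the perimeter. Address-based exceptions should be reviewed as findings, not silently accepted.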

About the Author

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.
